Legend: ✅ = supported • ⚠️ = limited/indirect • ❌ = not supported
| # | Capability | K8s Service (ClusterIP / NodePort) | AWS NLB (L4) | AWS ALB (L7) | Amazon API Gateway (REST/HTTP/WebSocket) | Istio / Envoy / Traefik (service mesh / gateways) |
|---|---|---|---|---|---|---|
| 1 | Basic gRPC communication | ✅ (in-cluster TCP/HTTP/2) | ✅ (TCP/TLS pass-through) | ✅ (HTTP/2 end-to-end incl. gRPC) (Amazon Web Services, Inc.) | ❌ (no native gRPC; use translation/proxy) | ✅ |
| 2 | Internal service-to-service gRPC | ✅ (ClusterIP) | ⚠️ possible via internal NLB, uncommon | ⚠️ possible via internal ALB, uncommon | ❌ (private APIs exist, but not gRPC) | ✅ (the mesh sweet spot) |
| 3 | External gRPC exposure | ❌ (ClusterIP), ⚠️ NodePort (raw) | ✅ | ✅ (AWS Documentation) | ❌ (not native gRPC) | ✅ (via ingress gateway) |
| 4 | gRPC load balancing | ✅ (per-connection RR) | ✅ (L4) | ✅ (L7; HTTP/2 to targets) (Amazon Web Services, Inc.) | ❌ | ✅ (advanced, per-method, etc.) |
| 5 | Path-based routing (L7, gRPC aware) | ❌ | ❌ | ✅ | ❌ for gRPC (yes for HTTP) | ✅ |
| 6 | Host-based routing (virtual hosts) | ❌ | ❌ | ✅ (Host header rules) (Amazon Web Services, Inc.) | ✅ (via custom domains; see notes) | ✅ |
| 7 | Weighted routing (canary/A-B) | ❌ | ❌ | ✅ (weighted target groups) (Amazon Web Services, Inc.) | ✅ (stage canaries) (AWS Documentation) | ✅ |
| 8 | Circuit breaking | ❌ | ❌ | ❌ | ❌ | ✅ |
| 9 | gRPC retries & timeouts | ❌ | ❌ | ❌ (only idle timeouts) | ⚠️ timeouts yes, retries limited | ✅ |
| 10 | mTLS (client cert auth) | ❌ (done in app) | ❌ mTLS at NLB (can pass through to app) (AWS Documentation) | ✅ (ALB mTLS verify/passthrough modes) (AWS Documentation) | ✅ (custom domains mTLS) (AWS Documentation) | ✅ |
| 11 | API auth (JWT/OIDC/OAuth/keys) | ❌ | ❌ | ✅ (Cognito/OIDC authenticate action) (AWS Documentation) | ✅ (JWT/OIDC/keys) (AWS Documentation) | ✅ (JWT, OPA/Ext AuthZ) |
| 12 | Rate limiting / throttling | ❌ | ❌ | ✅ via AWS WAF on ALB (AWS Documentation) | ✅ (built-in) | ✅ |
| 13 | Request/response transforms | ❌ | ❌ | ⚠️ headers only (no body transform) | ✅ (mapping templates/param mapping) (AWS Documentation) | ✅ (filters/Lua/Envoy) |
| 14 | Header-based routing | ❌ | ❌ | ✅ (rule conditions) (AWS Documentation) | ✅ (new) dynamic routing by headers/base path (custom domains) (Amazon Web Services, Inc.) | ✅ |
| 15 | TLS termination (HTTPS for gRPC) | ❌ (app terminates) | ✅ (TLS listener; watch h2c to backends) (kubernetes-sigs.github.io) | ✅ | ✅ | ✅ |
| 16 | Observability (logs/metrics/traces) | ⚠️ (via app/Prometheus) | ⚠️ (CloudWatch metrics) | ⚠️ (CW metrics + access logs) | ✅ (CW logs/metrics, X-Ray) | ✅ (Prometheus/Jaeger/OTel) |
| 17 | “API gateway” features (quotas, keys, usage plans) | ❌ | ❌ | ❌ | ✅ | ✅ (via gateway add-ons) |
| 18 | WebSocket & streaming support | ✅ (TCP) | ✅ | ✅ | ✅ (WebSocket APIs) | ✅ |
| 19 | Service discovery | ✅ (kube-DNS) | ❌ | ❌ | ❌ | ✅ (mesh SD) |
| 20 | Canary / blue-green deployments | ⚠️ (via K8s/rollouts) | ❌ | ✅ (weighted TG) (Amazon Web Services, Inc.) | ✅ (stage canary %) (AWS Documentation) | ✅ |
| 21 | Multi-cluster gRPC routing | ❌ | ❌ | ❌ | ❌ | ✅ (Istio multi-cluster) |
| 22 | Obs dashboards (Grafana/Jaeger/Prom) | ⚠️ (DIY) | ❌ | ❌ | ⚠️ (CW/X-Ray dashboards) | ✅ |
| 23 | Integrate with AWS Lambda | ❌ | ❌ | ✅ (Lambda targets) (AWS Documentation) | ✅ (native) | ❌ |
| 24 | Auto-failover / self-healing | ⚠️ via K8s readiness/endpoints | ✅ (health-based) | ✅ (health-based) | ✅ (regional HA) | ✅ (retries/outlier detection) |
Notes & gotchas
- API Gateway & gRPC: API Gateway doesn’t natively terminate/route gRPC. If you need an API façade in front of gRPC, use grpc-gateway (REST↔︎gRPC translation) or put ALB (or CloudFront) in front of your gRPC origin. (grpc-ecosystem.github.io)
- ALB + gRPC: ALB supports HTTP/2 end-to-end and gRPC health checks—this is the recommended L7 option on AWS for public gRPC. (Amazon Web Services, Inc.)
- mTLS:
- ALB now supports mTLS (verify mode with trust stores or passthrough). (AWS Documentation)
- NLB does not do client-certificate auth (mTLS). You can either terminate TLS at your app (TCP listener pass-through) or switch to ALB for mTLS. (AWS Documentation)
- API Gateway supports mTLS on custom domains for REST/HTTP APIs. (AWS Documentation)
- Header-based routing with API Gateway: Newly added in 2026 for custom domains; you can route by HTTP header values and/or base path (this is HTTP/REST—still not gRPC). (Amazon Web Services, Inc.)
- Weighted routing:
- ALB: multiple weighted target groups in a forward action (great for canary/blue-green). (Amazon Web Services, Inc.)
- API Gateway: stage canaries (% traffic). (AWS Documentation)
- NLB: no weighted rule concept. (AWS Documentation)
- Auth at ALB (OIDC/Cognito): ALB “authenticate” action (HTTPS only). Use it for browser flows; headless gRPC clients won’t follow redirects—prefer JWT at gateway/mesh for programmatic RPC. (AWS Documentation)
- Rate limiting on ALB: attach AWS WAF rate-based rules to the ALB. (AWS Documentation)
If you want, I can export this as a one-page PDF/cheat sheet and tailor it to your stack (what you actually plan to run where).
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals